Symantec has identified a new ransomware operation called Buhti, also known as Blacktail, that targets both Linux and Windows systems. The operation has expanded rapidly since mid-April: its operators exploit vulnerabilities for initial access, steal victim files, and then deploy LockBit and Babuk variants to encrypt systems. Buhti uses a modified version of LockBit 3.0 against Windows machines and Golang-based Babuk variants against Linux systems. The operators also employ a custom information stealer and exploit recently disclosed vulnerabilities, such as CVE-2023-27350 and CVE-2022-47986, to execute code remotely and carry out data theft. Buhti has been observed targeting organizations globally.
About OODA Analyst
OODA comprises a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.